Analysis

Max time kernel: 148s
Max time network: 140s
Platform: windows10-2004_x64
Resource: win10v2004-20221111-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 26-12-2022 06:18

Tasks
- Static task: static1
- Behavioral task: behavioral1 (sample tochi8890.exe, resource win7-20220812-en)

The signature hits and memory dumps below are prefixed behavioral2 and come from the Windows 10 2004 x64 run listed under Platform/Resource above, not from the Windows 7 task.
General

Target: tochi8890.exe
Size: 380KB
MD5: e6a3f8446e8c63e54c07d19e998beadc
SHA1: 6ca4d481b05669ea71d3bc4bad3ba4cb8b08a83a
SHA256: 5c7f3940dc39fd1f58d2d5a3d8666d6530ceb4ae9271dd3261d4f2523f517fb8
SHA512: 2f54a3c6a38fddb04f8bf18fa7e0b6b59ee8c50833da05c6ad400680d4a7c484f52e07dd932f5395dd38fe539f4ae14be5418fc9c24d0261d1a05814a4c2fa60
SSDEEP: 6144:XEbDTKQSvqBwF02+YAUKl1NT9nDT43GhfKHW42g7w7tBD/6pV5lPhDoLVX/sQwlq:8cT2/U8rTxDT7fK2Xg7w7bDipVto9/DH
Malware Config

Extracted family: formbook
Version: 4.1
Campaign ID: lh24
Embedded domain list (65 entries). Formbook beacons to decoy domains alongside its live C2, so a domain appearing here is an indicator for hunting and blocking, not by itself evidence that the domain is attacker-controlled:
50spage.com
acesalamo.xyz
magicair.org.uk
jrroyalps.com
hohot.xyz
affichecrea.com
2048xtw.net
atlas-pars.com
cqxjbz.com
180bingxue.com
coupdechacal.com
k00050.com
twin-vitro.net
haverninstitute.com
espada-japonesa.com
launchcu.info
discountauto.club
8o7eventhebrand.com
fishersmarinaandcampground.com
crystalfloodplain.com
ironsann.com
bravosnc.com
awesome-links.com
conviveum.com
carysilsteel.com
lui-centr.ru
invarxsdu.space
cdkam.top
studio11haircare.com
heating-system-70624.com
nairasense.africa
koreaset.com
finehouse.click
cenlxbvbipqlkgei.com
diamondiptveu.com
christopherko.africa
inovainvestcred.com
bancone.info
imaginarygaming.com
benjaminmiore.com
williamhewitt.co.uk
piksom.com
drinkdetroit.com
houstontx-painter.com
adriana-hasbun.com
add-ork.com
gdjaje.com
menshealthpv.net
backstagecyprus.com
geteyesonyourbook.com
basicdyesexport.com
artandcraftshop.com
lingerie-88231.com
kaileynguyen.buzz
lpdfccw.com
avtohisa.com
chefzoolicious.com
vcikme.xyz
kirikourses.com
haruku55.com
bookbyatlanta.com
divers.pics
brottsplatssverige.nu
ankylosaurusmagniventris.guru
icmarkets.life
Signatures

Formbook payload (3 IoCs)
YARA rule "formbook" matched in these memory regions:
- behavioral2/memory/3148-139-0x0000000000400000-0x000000000042F000-memory.dmp
- behavioral2/memory/3808-145-0x0000000000670000-0x000000000069F000-memory.dmp
- behavioral2/memory/3808-149-0x0000000000670000-0x000000000069F000-memory.dmp

Executes dropped EXE (2 IoCs)
Processes: ttyoe.exe
- PID 4784 ttyoe.exe
- PID 3148 ttyoe.exe

Suspicious use of SetThreadContext (3 IoCs)
Processes: ttyoe.exe, ipconfig.exe
- PID 4784 ttyoe.exe set thread context of PID 3148 ttyoe.exe
- PID 3148 ttyoe.exe set thread context of PID 2716 Explorer.EXE
- PID 3808 ipconfig.exe set thread context of PID 2716 Explorer.EXE
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox attaches the generic note "Likely ransomware behaviour" to this signature; that is the signature's boilerplate description, not a verdict on this sample, whose in-memory payload the YARA hits above identify as Formbook.
Gathers network information (2 TTPs, 1 IoC)
Uses commandline utility to view network configuration.
Processes: ipconfig.exe
- PID 3808 ipconfig.exe

Suspicious behavior: EnumeratesProcesses (60 IoCs)
Processes: ttyoe.exe, ipconfig.exe
- PID 3148 ttyoe.exe (4 occurrences)
- PID 3808 ipconfig.exe (56 occurrences)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: Explorer.EXE
- PID 2716 Explorer.EXE

Suspicious behavior: MapViewOfSection (6 IoCs)
Processes: ttyoe.exe, ipconfig.exe
- PID 4784 ttyoe.exe (1 occurrence)
- PID 3148 ttyoe.exe (3 occurrences)
- PID 3808 ipconfig.exe (2 occurrences)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: ttyoe.exe, ipconfig.exe
- PID 3148 ttyoe.exe: Token SeDebugPrivilege
- PID 3808 ipconfig.exe: Token SeDebugPrivilege

Suspicious use of WriteProcessMemory (13 IoCs)
Processes: tochi8890.exe, ttyoe.exe, Explorer.EXE, ipconfig.exe
- PID 448 tochi8890.exe wrote to memory of PID 4784 ttyoe.exe (3 writes)
- PID 4784 ttyoe.exe wrote to memory of PID 3148 ttyoe.exe (4 writes)
- PID 2716 Explorer.EXE wrote to memory of PID 3808 ipconfig.exe (3 writes)
- PID 3808 ipconfig.exe wrote to memory of PID 1128 cmd.exe (3 writes)
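The SetThreadContext, WriteProcessMemory and Formbook-payload signatures above describe a single injection chain. The following Python is an added example, not code from the sandbox or from this report: it takes those event lines as the report prints them (copied here one event per line as constructed input), reconstructs the chain from tochi8890.exe through the hollowed ttyoe.exe and Explorer.EXE to the cmd.exe that deletes the dropper, labels each source/target pair by which primitives were observed on it, and checks that the two formbook-tagged regions in PIDs 3148 and 3808 are the same 0x2F000-byte (188KB) payload. The regular expressions, labels and function names are this example's own.

```python
"""Reconstruct an injection chain from sandbox signature lines.

Added example, not part of the sandbox report. The three event blocks are
the report's SetThreadContext, WriteProcessMemory and Formbook-payload
tables split one event per line (constructed input); the parsing,
chain-walking and payload-correlation logic is this example's own.
"""
import re
from collections import defaultdict

SET_THREAD_CONTEXT = """\
PID 4784 set thread context of 3148 4784 ttyoe.exe ttyoe.exe
PID 3148 set thread context of 2716 3148 ttyoe.exe Explorer.EXE
PID 3808 set thread context of 2716 3808 ipconfig.exe Explorer.EXE
"""

WRITE_PROCESS_MEMORY = """\
PID 448 wrote to memory of 4784 448 tochi8890.exe ttyoe.exe
PID 4784 wrote to memory of 3148 4784 ttyoe.exe ttyoe.exe
PID 2716 wrote to memory of 3808 2716 Explorer.EXE ipconfig.exe
PID 3808 wrote to memory of 1128 3808 ipconfig.exe cmd.exe
"""

YARA_HITS = """\
behavioral2/memory/3148-139-0x0000000000400000-0x000000000042F000-memory.dmp formbook
behavioral2/memory/3808-145-0x0000000000670000-0x000000000069F000-memory.dmp formbook
behavioral2/memory/3808-149-0x0000000000670000-0x000000000069F000-memory.dmp formbook
"""

# "PID <src> <verb> <dst> <src again> <src image> <dst image>"
EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) \d+ (?P<src_img>\S+) (?P<dst_img>\S+)$")
# "memory/<pid>-<dump#>-0x<start>-0x<end>-memory.dmp <rule>"
YARA_RE = re.compile(
    r"memory/(?P<pid>\d+)-\d+-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)"
    r"-memory\.dmp (?P<rule>\S+)")


def parse_events(text):
    """Return ([(src_pid, 'write'|'ctx', dst_pid)], {pid: image_name})."""
    edges, images = [], {}
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        images[src], images[dst] = m["src_img"], m["dst_img"]
        edges.append((src, "ctx" if m["verb"].startswith("set") else "write", dst))
    return edges, images


def parse_yara(text):
    """Return {pid: {(start, end, size, rule)}}; repeat dumps of one region collapse."""
    hits = defaultdict(set)
    for line in text.splitlines():
        m = YARA_RE.search(line)
        if m:
            start, end = int(m["start"], 16), int(m["end"], 16)
            hits[int(m["pid"])].add((start, end, end - start, m["rule"]))
    return dict(hits)


def classify_injections(edges, images):
    """Label each (src, dst) pair by the primitives the sandbox saw on it."""
    writes = {(s, d) for s, v, d in edges if v == "write"}
    ctxs = {(s, d) for s, v, d in edges if v == "ctx"}
    out = {}
    for s, d in writes | ctxs:
        if (s, d) in writes and (s, d) in ctxs:
            # write + SetThreadContext on a child is the hollowing pattern;
            # same image on both sides means the dropper hollowed its own copy
            label = "self-hollowing" if images[s] == images[d] else "hollowing"
        elif (s, d) in ctxs:
            # context set on a target this source never wrote to with
            # WriteProcessMemory: the payload arrived another way (the report
            # also flags MapViewOfSection on these processes)
            label = "thread-context hijack, no WriteProcessMemory"
        else:
            label = "write only (parent/child setup)"
        out[(s, d)] = label
    return out


def longest_chain(edges, images, root):
    """Follow any injection edge from root; return the longest simple path."""
    adj = defaultdict(set)
    for s, _, d in edges:
        adj[s].add(d)
    best = []

    def dfs(node, path):
        nonlocal best
        if len(path) > len(best):
            best = list(path)
        for nxt in sorted(adj[node]):
            if nxt not in path:
                path.append(nxt)
                dfs(nxt, path)
                path.pop()

    dfs(root, [root])
    return " -> ".join(f"{images[p]}[{p}]" for p in best)


def shared_payload_sizes(hits):
    """(rule, region size) pairs that occur in more than one process."""
    by_size = defaultdict(set)
    for pid, regions in hits.items():
        for _, _, size, rule in regions:
            by_size[(rule, size)].add(pid)
    return {k: sorted(v) for k, v in by_size.items() if len(v) > 1}


if __name__ == "__main__":
    edges, images = parse_events(SET_THREAD_CONTEXT + WRITE_PROCESS_MEMORY)
    print(longest_chain(edges, images, 448))
    for pair, label in sorted(classify_injections(edges, images).items()):
        print(pair, label)
    print(shared_payload_sizes(parse_yara(YARA_HITS)))
```

Run as-is, the chain prints as tochi8890.exe[448] -> ttyoe.exe[4784] -> ttyoe.exe[3148] -> Explorer.EXE[2716] -> ipconfig.exe[3808] -> cmd.exe[1128], and both formbook regions come out as 0x2F000 bytes. The 0x400000 start in PID 3148 is the default image base of a 32-bit PE, consistent with the hollowed ttyoe.exe copy; the 0x670000 region in PID 3808 is a non-image region inside ipconfig.exe, which is the mapped-in payload the MapViewOfSection and EnumeratesProcesses signatures on that PID are reacting to. The same pairing of write and thread-context events is what you would look for in endpoint telemetry before trusting a LOLBin such as ipconfig.exe that suddenly holds SeDebugPrivilege.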
Processes (tree as rendered by the sandbox; PIDs taken from the signature tables above)

C:\Windows\Explorer.EXE (PID 2716, depth 1)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\tochi8890.exe (PID 448, depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\tochi8890.exe"
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\ttyoe.exe (PID 4784, depth 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\ttyoe.exe" C:\Users\Admin\AppData\Local\Temp\bbrolivjxb.em
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\ttyoe.exe (PID 3148, depth 4)
        command line: "C:\Users\Admin\AppData\Local\Temp\ttyoe.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\ipconfig.exe (PID 3808, depth 2)
    command line: "C:\Windows\SysWOW64\ipconfig.exe"
    - Suspicious use of SetThreadContext
    - Gathers network information
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 1128, depth 3)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\ttyoe.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\bbrolivjxb.em
  Filesize: 5KB
  MD5: 37c74f2e62c878a885e9b1b2731204a1
  SHA1: 0e6887424f72d065e7a7aed13acd8f9d520ec0de
  SHA256: 881f7918c6d8a141de26482cc98509bf3be3dbc5af52f345a160f052b633f41f
  SHA512: 6e79d452528a216667009c86ba994cb3ad6aa4ceef87983a20741c87fefbfed6ed0a9f30af90a46061738d0a6dfffe369e957f3867087bc342cc844ce6c91256

C:\Users\Admin\AppData\Local\Temp\grystrjwiw.upu
  Filesize: 185KB
  MD5: 3b23ce4832dd07031686ace33dd01dc8
  SHA1: a6c1b097f577c7727bc495c693290b251cb3d95d
  SHA256: a2911789f25f27f25dee4e8064921b5cc0daf8a32b31c1b28641773fcbf2ee61
  SHA512: 56aa25cc26a968df6bc34f1d433ec40508ef1bab51bda84c78b3d5396b90d02f7b3ecc30b29d9d461b3a010a844093c1d9b8a09ff610ea2c39ff2c313ce4b2cd

C:\Users\Admin\AppData\Local\Temp\ttyoe.exe (the report lists this file three times with identical hashes)
  Filesize: 355KB
  MD5: d3c3a49590aae3fca49a9ba0721d8e9a
  SHA1: 0067538ee4356645d186202b15b1dd3345a21859
  SHA256: 9113cfaddb26309e5a3e0c24d878f0c2d16395b6a8344b7b46dbb37b810bf8c9
  SHA512: 2267e302f2e48b0336af7f37d8922b4c9644b5e361a575f2e17a235bb342a55bb22a0bc8ac3f5a6a263db812fd9cafa3aa8e5e7d70aa26f195c12f34db14963a
Memory dumps (behavioral2; "mapping.dmp" entries are listed without a size)

- memory/1128-146: 0x0000000000000000 (mapping.dmp)
- memory/2716-142: 0x0000000008D30000-0x0000000008E85000, 1.3MB
- memory/2716-151: 0x0000000008E90000-0x0000000008FD6000, 1.3MB
- memory/2716-150: 0x0000000008E90000-0x0000000008FD6000, 1.3MB
- memory/3148-137: 0x0000000000000000 (mapping.dmp)
- memory/3148-141: 0x0000000001600000-0x0000000001614000, 80KB
- memory/3148-140: 0x0000000001660000-0x00000000019AA000, 3.3MB
- memory/3148-139: 0x0000000000400000-0x000000000042F000, 188KB (formbook YARA hit)
- memory/3808-143: 0x0000000000000000 (mapping.dmp)
- memory/3808-145: 0x0000000000670000-0x000000000069F000, 188KB (formbook YARA hit)
- memory/3808-144: 0x0000000000660000-0x000000000066B000, 44KB
- memory/3808-147: 0x0000000001040000-0x000000000138A000, 3.3MB
- memory/3808-148: 0x0000000000E80000-0x0000000000F13000, 588KB
- memory/3808-149: 0x0000000000670000-0x000000000069F000, 188KB (formbook YARA hit)
- memory/4784-132: 0x0000000000000000 (mapping.dmp)